
CVE-2025-62517: rollbar vulnerable to Prototype Pollution in merge()

CVSS Score (v3.1): 5.9

Basic Information

EPSS Score
-
Published
10/23/2025
Updated
10/23/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rollbar | npm | <= 2.26.4 | 2.26.5 |
| rollbar | npm | >= 3.0.0-alpha1, <= 3.0.0-beta4 | 3.0.0-beta5 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a prototype pollution issue in the Rollbar.js library, specifically in the merge() and set() utility functions. The advisory names rollbar.configure() as the entry point: it accepts a configuration object and passes it through these utilities. The patches confirm this by modifying src/merge.js and src/utility.js, and in both files the fix is to keep Object.prototype out of reach of attacker-supplied keys. In merge.js, the result object is now created with Object.create(null), so it has no prototype chain at all; a "__proto__" key in the input then becomes an ordinary own property instead of resolving, through the inherited accessor, to the shared Object.prototype. In utility.js, set() now calls Object.setPrototypeOf(obj, null) on the object it writes into, with the same effect. An attacker who controls input that application code forwards to rollbar.configure() (for example, a JSON object carrying a "__proto__" key) could have it processed by the unpatched functions and end up writing properties onto the global Object.prototype, which every ordinary object in the process then inherits. This is consistent with the CVSS vector: no privileges or user interaction, high attack complexity because the application itself must pass untrusted input to configure(), and an integrity impact only.

Vulnerable functions

merge
src/merge.js
The `merge` function was vulnerable to prototype pollution because it initialised its result as `{}`, which inherits from `Object.prototype`. A `__proto__` key in a merged payload therefore resolved to the shared prototype, and the merge could add or overwrite properties that every object in the application inherits. The patch changes the initialiser to `Object.create(null)`, which creates an object with no prototype, so such a key is stored as a plain own property instead.
set
src/utility.js
The `set` function in `utility.js` was also found to be vulnerable to prototype pollution. The patch adds `Object.setPrototypeOf(obj, null);` so that the object being written to has no prototype, which stops a key such as `__proto__` from reaching `Object.prototype` through it.
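The two vulnerable-then-hardened patterns described above (a merge whose accumulator starts as `{}`, and a setter hardened with `Object.setPrototypeOf(obj, null)`), as an added JavaScript example that is not Rollbar's code. The function names, the path-based `set` signature, the `FORBIDDEN_KEYS` deny-list and the JSON payload are assumptions made for this illustration; the deny-list is extra defence in depth beyond the fix the advisory describes.

```javascript
// Added illustration (not Rollbar's code): a minimal deep merge and a
// path-based setter in the shape the advisory describes, each in a
// vulnerable and a hardened form. Function names and the payload are invented.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable merge: the accumulator is `{}`, so a source key "__proto__"
// resolves through the inherited accessor to Object.prototype and the
// recursion writes into it.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    target[key] = isPlainObject(value) && isPlainObject(target[key])
      ? vulnerableMerge(target[key], value)
      : value;
  }
  return target;
}

// Hardened merge in the spirit of the fix: with Object.create(null),
// "__proto__" is an ordinary own key with no accessor behind it. The
// deny-list is extra defence in depth added for this example.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  const result = Object.create(null);
  for (const key of Object.keys(target)) result[key] = target[key];
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    result[key] = isPlainObject(value) && isPlainObject(result[key])
      ? safeMerge(result[key], value)
      : value;
  }
  return result;
}

// Vulnerable path setter: set(obj, ['a', 'b'], v) creates `{}`
// intermediates, so a "__proto__" segment walks into Object.prototype.
function vulnerableSet(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (!isPlainObject(cur[path[i]])) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened setter: Object.setPrototypeOf(obj, null) mirrors the described
// fix for the root object; intermediates are null-prototype too, otherwise
// a nested "__proto__" segment would reach a plain intermediate's prototype.
function safeSet(obj, path, value) {
  Object.setPrototypeOf(obj, null);
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`refusing to traverse "${k}"`);
    if (!isPlainObject(cur[k])) cur[k] = Object.create(null);
    cur = cur[k];
  }
  const last = path[path.length - 1];
  if (FORBIDDEN_KEYS.has(last)) throw new TypeError(`refusing to set "${last}"`);
  cur[last] = value;
  return obj;
}

// Constructed attacker-controlled input, e.g. a JSON body an application
// forwards into rollbar.configure(). JSON.parse creates an *own* enumerable
// "__proto__" key, so the payload survives Object.keys().
const MALICIOUS_JSON = '{"environment":"prod","__proto__":{"polluted":true}}';

function demoMerge() {
  vulnerableMerge({}, JSON.parse(MALICIOUS_JSON));
  const leakedBefore = ({}).polluted === true; // unrelated object now "has" it
  delete Object.prototype.polluted;            // undo the pollution
  const config = safeMerge({}, JSON.parse(MALICIOUS_JSON));
  return {
    leakedBefore,
    leakedAfter: ({}).polluted === true,
    environment: config.environment,
    nullProto: Object.getPrototypeOf(config) === null,
  };
}

function demoSet() {
  vulnerableSet({}, ['__proto__', 'isAdmin'], true);
  const leakedBefore = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  const cfg = safeSet({}, ['payload', 'server', 'host'], 'app01');
  let rejected = false;
  try { safeSet({}, ['__proto__', 'isAdmin'], true); }
  catch (e) { rejected = e instanceof TypeError; }
  return { leakedBefore, rejected, host: cfg.payload.server.host,
           leakedAfter: ({}).isAdmin === true };
}
```

Run `demoMerge()` and `demoSet()` under Node to see the contrast: the vulnerable variants make an unrelated `{}` report `polluted` / `isAdmin`, while the hardened variants keep the legitimate keys and leave `Object.prototype` untouched. Note that the null-prototype trick on its own only stops the accessor from being reached; if the merged result is later copied into an ordinary object with `Object.assign`, a surviving own `__proto__` key would again hit that object's setter, which is why the example also drops the three dangerous key names at the boundary.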

WAF Protection Rules

WAF Rule

### Impact
Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution is possible.

### Patches
Fixed in 2.26.5 and 3.0.0-beta5.

### Workarounds
Ensure that values passe…
